"Prevent Intrusions into Your Computer System (Part 1 of 2)"
A step-by-step guide to stopping both external and internal mischief
by Gil Weber, MBA
Adapted with permission from Ophthalmology Management
© Copyright, 2002. All rights reserved.
We get constant, worrisome news these days regarding computers and Internet security. As the technologies in hardware and software improve and we can work more efficiently and productively with our computers, we're simultaneously exposed to the "dark side."
We're regularly encountering newer and more destructive computer viruses, worms, and Trojan Horses. We've all suffered the frustrating e-mail and browser slowdowns caused by "denial of service" attacks against Internet service provider networks and company servers. And we see frequent news reports of hackers breaking into systems and, in some cases, doing malicious damage, such as deleting or stealing files and defacing Web sites.
HIPAA (the Health Insurance Portability and Accountability Act) will place new, tough security requirements on every practitioner's office computer system. Failure to adequately and appropriately protect your computer system from unauthorized external and internal access to -- and transmission of -- protected health information could prove disastrous. In the next year you're sure to see third-party payers amending provider agreements to require that practices have protocols in place to monitor and assure computer system security.
In this article, I'll give you some suggestions on ways to make it harder for those outside the practice to identify and access your system, probe it, and compromise the data. You can implement all of these ideas with the guidance of someone who knows how to set up, configure and secure small-scale computer networks. Next month, I'll tell you how to protect your system from internal mischief.
Protecting Internet Connections
If you've ever suffered the seemingly interminable wait for a traditional dial-up connection to download your e-mail or connect your browser to the World Wide Web, then you've probably considered switching to a high-speed connection. Perhaps you've considered cable, or perhaps a direct subscriber line (DSL) or one of its variants.
A high-speed, or broadband, connection will dramatically improve your upload and download performance when connecting to the Internet. But if you're not careful, there's a significant, downside risk. Fortunately, as I will explain below, it can be easily fixed.
Unlike slower dial-up, which only connects your computer to the outside world when you click on the dialer button or icon, high-speed connections typically are "always on." That is, by default you're always connected to the Internet. This constant exposure makes your computer more vulnerable to hackers who search for open Internet connections using special programs such as port scanners. These high speed automated search programs find vulnerable computers, log Internet addresses, and then allow hacking at will.
That's the Jekyll and Hyde dichotomy of high-speed Internet connection. It's very fast and productive, but can be very vulnerable if you fail to take appropriate security precautions.
So let's say you have or are going to get DSL. Here's what you can do to make it more secure:
Configure for "Dial on Demand"
Your first security step is to disable the "always on" default setting for DSL. Reconfiguring a DSL system to dial on demand means that when you click on your e-mail or browser programs the DSL line opens and connects to the Internet almost instantly. If you also set a very low "idle time" (the period of process inactivity after which the DSL line automatically disconnects) -- say around 60 seconds -- you'll get the high-speed access you want when and as you need it, but without leaving your system exposed to port scanning probes at those times when you're not going on to the Internet, such as after business hours.
Properly configured, there's virtually no downside to using dial on demand. Unlike dial-up, you're not at perpetual risk of losing a good connection and, therefore, naturally reluctant to disconnect. Thus, dial on demand significantly narrows the windows of opportunity for those who'd try to compromise your system from the outside.
Use a Router and Firewall(s)
In an office environment you're certainly going to have multiple computers and workstations linked into a network. No matter what type of Internet connection you have, you should use a router, also known as a hub/modem, with a built-in "firmware" firewall and a user-selectable password feature as the gateway for your Internet connection and as the distribution point to your network and its satellite terminals. Your Internet connection should never go directly to an unprotected Internet gateway computer that then distributes to other computers in your network. (Note: be sure to change the default password in the router.)
You should also consider using a software firewall to protect the system. The software firewall should be a demonstrated, quality product that protects you from unauthorized, inbound probes. But you also want to be certain that it protects your system from unauthorized outbound transmissions (e.g., preventing your computer from "calling home" to a hacker's computer if he has surreptitiously planted a program in your system that transfers data from your hard drive to his).
Unfortunately, there are a lot of essentially useless software firewall products on the market that don't protect you from a sneeze much less a hacker's calculated assault. So you'll want to do some research. For a primer on firewalls read Firewalls for Beginners at http://www.securityfocus.com/infocus/1182.
Add a "DMZ" Computer
I recommend adding a DMZ computer to your system. The DMZ -- as in demilitarized zone -- computer is, in essence, a trap for intrusive probes. When an inquiry signal from the outside world tries to get into your system the router described above first directs that inquiry to the DMZ computer.
The DMZ is programmed to check the inquiry. If not authorized to go any farther, the signal is contained in what essentially becomes a black hole.
It's the ultimate firewall, if you will. And, best of all, the average hacker probably won't know what happened to his probe or why it failed. He'll only know that it was unsuccessful, and then he'll probably move on in search of other, easier pickings.
A foiled hacker is like a burglar who bypasses your house when he sees evidence of an alarm system, that's just fine. Make him go elsewhere to do his mischief.
Your DMZ computer doesn't have to be an expensive, state-of-the-art system. An early Pentium or even a 486 with a little memory and a small hard drive will work just fine.
Securing Medical Records
But maybe you're looking for something that's 100% secure. There is a way to secure your records from outside intrusion, however it comes with a price.
If you want to be totally certain that nobody from the outside can probe and compromise the protected health information (PHI), cut the connection between the outside world and your patient records. Keep whatever business records are needed on machines that can connect to the Internet, but keep PHI on machines that can't. Then a successful hacker's attack will be limited to your business records. (That's bad enough, certainly, but less problematic, vis-à-vis HIPAA, than a breach of medical records confidentiality.)
Of course, placing the PHI on a computer that can't access the Internet would prevent most practices from electronically transmitting medical records to other healthcare providers or to insurance companies. But is that a significant issue? It depends. You'd be forced to send such records by fax or mail/courier. But maybe that's OK. For most practices, either method would be more secure than sending PHI as an e-mail attachment. Remember, whether you send data via e-mail or FTP (file transfer protocol), unless it's encrypted anything you send over the Internet can be read by others, authorized or not, along the transmission path. That's a big HIPAA sore thumb.
And, besides, to transmit clear electronic copies of medical records that could be read by an authorized recipient, you'd probably need to convert the documents to a .pdf format (Adobe Acrobat), or something similar. That's a lot of extra work.
The real problem, of course, is that you must be able to submit claims electronically -- to Medicare and to other third-party insurers. And sometimes those claims submissions necessitate attaching support documentation from the confidential medical records. If the PHI is on a different computer what do you do?
One possible solution is to work with a computer security expert and set up a methodology by which you can transmit encrypted batchloads of claims that would include any support documentation. For some, this might mean temporarily placing the batchload file(s) on a terminal linked to the Internet, transmitting to the payer, and then removing the temporary file(s) immediately a transmission is completed.
A simpler method would be to "burn" (record) the batchloaded claims onto a CD, and then use that CD to transmit the claims from one of your Internet-connected computers. This is an attractive solution since it's almost fail-safe; the CD's contents would never actually be loaded onto the transmitting computer's hard drive.
And the CD can be archived securely so that you have a permanent record of each day's work. (Note: If archiving CDs becomes a storage challenge you can always put in an optical disk system that records many gigabytes of data on each optical disk.)
There are other possible solutions, of course, but each must be tailored to the specific needs of the practice while still addressing HIPAA requirements.
Be Cautious with Web Site Servers
Hosting your own practice Web site can create potential security problems. You want the public to have easy access to that site, but when you host your own Web site you're publishing your Internet protocol address to the world, and if you were to host your Web site on the same office server as holds confidential data, that could dramatically increase opportunities for a hacker to breach your system and get to the PHI.
This is a particular problem if you're using Windows NT/Windows 2000 server software. Windows servers use Microsoft's IIS (Internet Information Service), a protocol with lots of documented security holes. Many IT (information technology) experts have warned against using IIS, but the message doesn't seem to have filtered down to many end-users.
If a hacker can get to your Web site, by hacker standards, a fairly easy penetration, and if your patient files are on the same server or another computer connected to it, you're probably looking at a potential security breach and a big headache for everyone involved. So never have patient or business information on any Web site server.
Consider having your Web site hosted by someone else -- using an IP address that can't be tied to your office. I strongly recommend that whatever else you might do to address computer security, break any connection between the medical/accounting records and a Web site server.
Now, all of the above might seem like a time-consuming, costly and inconvenient process. And it probably will be. That's what HIPAA is all about. But your bottom-line concern must be protecting the patient records. And that's what the federal government wants to drive this entire exercise.
Special thanks to software designer and systems consultant Rick Downes of RadSoft (http://radsoft.net) and Michael Lockard, administrator at Talley Medical-Surgical Eye Care Associates, for their contributions to this series. For an excellent guide on computer attacks and defending against them, read Counter Hack by Ed Skoudis (Prentice Hall). For a primer on network connections and Internet security see Linksys at www.linksys.com/edu
Gil Weber is an author, lecturer and practice management consultant to the managed care and ophthalmic industries. He has served as Managed Care Director for the American Academy of Ophthalmology.